Bug 983551 - SELinux blocks OpenDMARC (<-> Postfix)
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: selinux-policy
Hardware: All
OS: Linux
Priority: unspecified
Severity: unspecified
Target Milestone: rc
Target Release: ---
Assigned To: Miroslav Grepl
QA Contact: Milos Malik
Depends On:
Blocks: 905304
Reported: 2013-07-11 08:56 EDT by Patrick
Modified: 2014-05-15 10:52 EDT (History)
CC: 5 users

See Also:
Fixed In Version: selinux-policy-3.7.19-228.el6
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2013-11-21 05:45:15 EST
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments: None
Description Patrick 2013-07-11 08:56:55 EDT
Description of problem:
SELinux does not yet have a policy for OpenDMARC so it generates AVCs

Version-Release number of selected component (if applicable):
OpenDMARC 1.1.3 (based on https://bugzilla.redhat.com/show_bug.cgi?id=905304)

$ rpm -qa | grep selinux

How reproducible:
Install OpenDMARC 1.1.3, configure it, configure milter in Postfix, start OpenDMARC, reload Postfix, send test message to Postfix server, see AVCs being generated

Steps to Reproduce:
1. install and configure OpenDMARC, Postfix
2. send test email to Postfix server
3. see AVCs being generated

Actual results:
OpenDMARC is blocked and interaction between Postfix and OpenDMARC is blocked.

Expected results:
No blockage, everything working, more spam defeated.

Additional info:

OpenDMARC is another new anti-spam tool, with the Internet's 800-pound gorillas already using it (Google, Facebook, etc.). Currently it is not yet available in any Fedora or EPEL repo (review in progress in bz905304). Lacking an SELinux policy will prevent OpenDMARC from working properly. To prevent this I am submitting this report in the hope that when OpenDMARC shows up in Fedora & EPEL it will work out of the box right away.

OpenDMARC works pretty much the same as OpenDKIM so perhaps that policy can be used as a basis to save some time.

The OpenDMARC default config uses the following files, directories and commands:

Config file /etc/opendmarc.conf
BaseDirectory /var/run/opendmarc
HistoryFile /var/spool/opendmarc/opendmarc.dat
IgnoreHosts /etc/opendmarc/ignore.hosts
PidFile /var/run/opendmarc.pid
ReportCommand /usr/sbin/sendmail -t
Socket /var/run/opendmarc/opendmarc.sock
Socket inet:8893@localhost
SyslogFacility mail (must be able to log to /var/log/maillog)
TemporaryDirectory /var/tmp
UserID  opendmarc:mail

The AVCs I found thus far (using socket /var/run/opendmarc/opendmarc.sock):

type=AVC msg=audit(1373546882.708:293036): avc:  denied  { write } for  pid=18947 comm="smtpd" name="opendmarc.sock" dev=vda2 ino=5376619 scontext=unconfined_u:system_r:postfix_smtpd_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=sock_file

type=AVC msg=audit(1373546882.708:293036): avc:  denied  { connectto } for  pid=18947 comm="smtpd" path="/var/run/opendmarc/opendmarc.sock" scontext=unconfined_u:system_r:postfix_smtpd_t:s0 tcontext=unconfined_u:system_r:initrc_t:s0 tclass=unix_stream_socket

type=AVC msg=audit(1373546883.814:293038): avc:  denied  { connectto } for  pid=18977 comm="cleanup" path="/var/run/opendmarc/opendmarc.sock" scontext=unconfined_u:system_r:postfix_cleanup_t:s0 tcontext=unconfined_u:system_r:initrc_t:s0 tclass=unix_stream_socket

type=AVC msg=audit(1373546873.676:293034): avc:  denied  { read } for  pid=18971 comm="sendmail" path="inotify" dev=inotifyfs ino=1 scontext=unconfined_u:system_r:system_mail_t:s0 tcontext=system_u:object_r:inotifyfs_t:s0 tclass=dir

If you need more information please let me know. Thanks!
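As an added example (not part of this bug report, the selinux-policy package or OpenDMARC), the following Python script parses AVC records like the four quoted above, groups the denials by source domain, target type and object class, and flags target types that are generic placeholders (initrc_t, var_run_t and similar). In this report that is the tell-tale sign that the daemon, its socket directory and its spool were never given a daemon-specific file context, rather than that the policy needs new allow rules. The GENERIC_TARGET_TYPES set, the function names and the output format are my own choices; the sample records are the AVC lines from the description.

```python
"""Summarise SELinux AVC denials and flag targets carrying generic labels.

Added example for this bug report; not code from the report, from
selinux-policy or from OpenDMARC.  Reads audit.log-style AVC records,
groups denied permissions by (source type, target type, class) and
points out target types that are usually a symptom of a missing file
context rather than a missing allow rule.
"""
import re
from collections import defaultdict

# Sample input: the four AVC records quoted in the bug description.
SAMPLE_AVCS = """\
type=AVC msg=audit(1373546882.708:293036): avc:  denied  { write } for  pid=18947 comm="smtpd" name="opendmarc.sock" dev=vda2 ino=5376619 scontext=unconfined_u:system_r:postfix_smtpd_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1373546882.708:293036): avc:  denied  { connectto } for  pid=18947 comm="smtpd" path="/var/run/opendmarc/opendmarc.sock" scontext=unconfined_u:system_r:postfix_smtpd_t:s0 tcontext=unconfined_u:system_r:initrc_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1373546883.814:293038): avc:  denied  { connectto } for  pid=18977 comm="cleanup" path="/var/run/opendmarc/opendmarc.sock" scontext=unconfined_u:system_r:postfix_cleanup_t:s0 tcontext=unconfined_u:system_r:initrc_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1373546873.676:293034): avc:  denied  { read } for  pid=18971 comm="sendmail" path="inotify" dev=inotifyfs ino=1 scontext=unconfined_u:system_r:system_mail_t:s0 tcontext=system_u:object_r:inotifyfs_t:s0 tclass=dir
"""

# Field order in an AVC record is fixed: result, permission set, comm,
# then scontext, tcontext and tclass.  Non-greedy gaps skip name=/path=/dev=/ino=.
AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}'
    r'.*?\bcomm="(?P<comm>[^"]*)"'
    r'.*?\bscontext=(?P<scontext>\S+)'
    r'.*?\btcontext=(?P<tcontext>\S+)'
    r'.*?\btclass=(?P<tclass>\S+)'
)

# Assumption (my choice): target types that are catch-all labels.  A denial
# against one of these normally means the object (binary, socket dir, spool)
# was never labelled for its daemon, which is what the chcon fix in this bug
# corrects.  initrc_t here is the daemon itself, running unconfined because
# its binary is still bin_t.
GENERIC_TARGET_TYPES = {"initrc_t", "var_run_t", "var_t", "bin_t",
                        "var_spool_t", "tmp_t"}


def _type_of(context):
    """Return the type field of user:role:type:range."""
    return context.split(":")[2]


def parse_avc_line(line):
    """Parse one audit record; return None for non-AVC or malformed lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    return {
        "result": m.group("result"),
        "perms": m.group("perms").split(),
        "comm": m.group("comm"),
        "stype": _type_of(m.group("scontext")),
        "ttype": _type_of(m.group("tcontext")),
        "tclass": m.group("tclass"),
    }


def summarize(text):
    """Map (source type, target type, class) -> sorted list of denied perms."""
    grouped = defaultdict(set)
    for line in text.splitlines():
        rec = parse_avc_line(line)
        if rec and rec["result"] == "denied":
            grouped[(rec["stype"], rec["ttype"], rec["tclass"])].update(rec["perms"])
    return {key: sorted(perms) for key, perms in grouped.items()}


def suspicious_labels(summary):
    """Target types in the summary that look like missing file contexts."""
    return sorted({ttype for (_, ttype, _) in summary if ttype in GENERIC_TARGET_TYPES})


def report(text):
    """Human-readable lines: one per denial group, plus a labelling hint."""
    summary = summarize(text)
    lines = [f"{s} -> {t}:{c} {{ {' '.join(p)} }}" for (s, t, c), p in sorted(summary.items())]
    generic = suspicious_labels(summary)
    if generic:
        lines.append("generic target types seen (check file contexts first): "
                     + ", ".join(generic))
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_AVCS):
        print(line)
```

Run it against a real log with `python3 avc_summary.py < /dev/null` replaced by reading `/var/log/audit/audit.log`, or pipe `ausearch -m AVC` output into `summarize()`. When the only generic target types are the daemon's own process and files, relabelling (as in Comment 4 below) is the fix to try before generating new policy from the denials.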
Comment 2 Milos Malik 2013-07-12 05:49:31 EDT
We also need a policy for opendmarc:

# service opendmarc status
opendmarc is stopped
# service opendmarc start
Starting OpenDMARC Milter: [  OK  ]
# service opendmarc status
opendmarc (pid  16994) is running...
# ps -efZ | grep dmarc
unconfined_u:system_r:initrc_t:s0 498    16994     1  0 05:46 ?        00:00:00 /usr/sbin/opendmarc -c /etc/opendmarc.conf -P /var/run/opendmarc/opendmarc.pid
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 17007 12434  0 05:46 pts/0 00:00:00 grep dmarc
Comment 3 Patrick Laimbock 2013-07-19 10:28:14 EDT
Testing an SELinux policy is preferably done on EL6 since that's what my mailserver runs on. So it would be most appreciated if you could make a policy available for EL6 first or in addition to one for Fedora. Thanks!
Comment 4 Miroslav Grepl 2013-07-23 10:15:08 EDT
Could you try to execute

# chcon -t dkim_milter_exec_t /usr/sbin/opendmarc
# chcon -R -t dkim_milter_data_t /var/run/opendmarc /var/spool/opendmarc

and re-test it.

Thank you.
Comment 5 Patrick Laimbock 2013-07-23 14:58:16 EDT
Hi Miroslav. Here are the results:

$ ls -Z /usr/sbin/opendmarc
-rwxr-xr-x. root root system_u:object_r:bin_t:s0       /usr/sbin/opendmarc
$ ls -Z /var/spool/opendmarc/
-rw-rw----. opendmarc mail unconfined_u:object_r:var_spool_t:s0 opendmarc.dat

$ sudo chcon -t dkim_milter_exec_t /usr/sbin/opendmarc
$ chcon -R -t dkim_milter_data_t /var/run/opendmarc /var/spool/opendmarc

$ ls -Z /usr/sbin/opendmarc
-rwxr-xr-x. root root system_u:object_r:dkim_milter_exec_t:s0 /usr/sbin/opendmarc
$ ls -Z /var/run/opendmarc /var/spool/opendmarc
-rw-rw----. opendmarc mail unconfined_u:object_r:dkim_milter_data_t:s0 opendmarc.dat

When sending mail I no longer see any AVCs in enforced or in permissive mode in /var/log/audit/audit.log.

Please note that I could only test it with opendmarc using a socket.
Comment 6 Miroslav Grepl 2013-07-24 01:23:20 EDT
I added to Fedora

commit fa78971ce5af7886b1a5f799b558ca38a4086411
Author: Miroslav Grepl <mgrepl@redhat.com>
Date:   Wed Jul 24 07:21:15 2013 +0200

    Add support for OpenDMARC

and will back port.

Thank you for testing.
Comment 14 errata-xmlrpc 2013-11-21 05:45:15 EST
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

